In computer systems security, a traditional way of controlling access to computer resources is based on roles. Examples of computer resources include, but are not limited to, software systems and applications, files and folders, data objects, and database tables. System roles may be defined to encompass both business duties and access to the corresponding resources needed to carry out those duties. Users may be assigned to different roles based on their competencies and responsibilities in an organization. The operations or actions that a user is permitted to perform may be determined by the user's role. For example, depending on his role, a user may be allowed only to read a file, but not to modify it. Access rights to system resources, and the corresponding actions permitted on those resources, are grouped by the system roles.
Typically, computer software systems grant access rights to information based on user roles. Operating systems, for example, may use access control lists (ACLs) to control which users can access files and folders. In another example, Database Management Systems (DBMSs) may enforce access control at the system login level, at the database level, and on objects within a database such as tables. In both examples, the degree to which access to information is controlled extends only to a certain level of granularity. For example, operating systems may control access to user files, but not to portions of user files. DBMSs may control access to tables but may not control access at the row level or cell level. In some scenarios, however, there may be a requirement to control access at a more granular level.
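The following sketch is an added illustration, not part of the original text: it models roles that group (resource, action) rights and enforces them at table granularity, which shows the limitation described above. All role, user, and table names and the sample rows are constructed for the example.

```python
# Added illustration: role-based access control enforced at table granularity.
# Roles, users, tables, and rows below are constructed sample data.

ROLE_PERMISSIONS = {
    "hr_clerk": {("payroll", "read")},
    "hr_manager": {("payroll", "read"), ("payroll", "write")},
    "auditor": {("payroll", "read"), ("audit_log", "read")},
}

USER_ROLES = {
    "alice": {"hr_manager"},
    "bob": {"hr_clerk"},
    "carol": set(),  # no role assigned, so no access at all
}

TABLES = {
    "payroll": [
        {"employee": "alice", "dept": "HR", "salary": 9000},
        {"employee": "bob", "dept": "HR", "salary": 5000},
        {"employee": "dave", "dept": "R&D", "salary": 7000},
    ],
    "audit_log": [],
}


def is_permitted(user, table, action):
    """True if any role assigned to the user grants (table, action)."""
    return any((table, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def read_table(user, table):
    """Table-level enforcement: one decision covers every row and cell."""
    if not is_permitted(user, table, "read"):
        raise PermissionError(f"{user} may not read {table}")
    # The permission model has no notion of rows, so nothing can be filtered.
    return list(TABLES[table])


def write_row(user, table, row):
    """Append a row only if one of the user's roles grants write access."""
    if not is_permitted(user, table, "write"):
        raise PermissionError(f"{user} may not write {table}")
    TABLES[table].append(row)
```

Because the decision key is only (table, action), a clerk who may read `payroll` receives every department's rows and every salary cell; restricting that would require a finer-grained decision than the role model expresses.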